allow-update in global options (was Re: bind and certbot with dns-challenge)
each at isc.org
Wed Apr 3 23:08:22 UTC 2019
On Tue, Apr 02, 2019 at 06:28:02PM +0200, Alan Clegg wrote:
> The answer to your question is: "someone at ISC".
Oh, I'm willing to take the public blame here, Alan. It's not like the
commits don't have my name on them.
The code the processes allow-update was written in an oddly circuitious
fashion, and this combined with a badly misleading C comment led me to
believe that allow-update and update-policy had the same rules about
where they could be set - and, update-policy can only be set in zone
statements. (This is personally embarrassing, but if you read the relevant
code and comments in configure_view() you might see how easy it is to be
I actually do still think that *ought* to be the rule for allow-update,
but it wasn't, so when I cleaned things up I cleaned them up wrong, mea
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users